Cisco VPN for Win7 x64

09 08 09 - 00:42

The Cisco VPN client won't run on 64-bit versions of Windows, and Cisco has no plans to ship a 64-bit client anytime soon.  In order to get VPN working on my shiny new Windows 7 x64 install, I tried to get the Cygwin/Linux vpnc client working.  I ran into a number of problems, so this post explains how it can be done and hopefully will help you avoid the same problems I had.  I spent a lot of time researching information on the 'net, and wound up tweaking steps a bit and hacking scripts myself, but much of this is based on work by Li Zhao and Salty.

NOTE: update 22 Mar 2010 - The Shrew.net client supports Win7 now, and seems to work flawlessly. It’s a much better option if you don’t already have a need for Cygwin. 


To get Cisco VPN working on an x64 Windows 7, you need:

  • Cygwin - a wonderful set of tools to emulate a Linux environment on Windows
  • OpenVPN - to provide a virtual TAP network adapter
  • VPNC - the VPN client
Here's how to do it:
I turned off UAC for the purposes of getting all of this installed.  I ran into a number of permissions issues and false starts when I left it turned on.  This reduces the number of things that can go wrong in the install process, particularly with Cygwin.  Feel free to turn UAC back on after the install process if you're so inclined. 

Install Cygwin:
  • Download cygwin http://www.cygwin.com/setup.exe installer and save to your hard drive (don't just run it directly)
  • Right-click on the setup file, and 'Run as administrator'. This may not actually be necessary but it makes me feel good.
  • Accept defaults except for local packages directory - I changed that to c:\cygwin\packages.  Saving stuff to my desktop is annoying.
  • Choose a mirror to download packages from.  Choose something physically close to you.
  • Choose the following additional packages to include:  (choose them by clicking on the word 'skip' in the 'New' column)
    • Devel > gcc-g++: C++ Compiler
    • Devel > make: The GNU version of the 'make' utility
    • Libs > libgcrypt: A general purpose crypto library based on the code from GnuPG
    • Libs > libgcrypt-devel: A general purpose crypto library based on the code from GnuPG (development)
    • Libs > libgpg-error: A library that defines common error values for GnuPG
    • Perl > perl: Larry Wall's Practical Extraction and Reporting Language
  • The rest of the cygwin install process is pretty obvious; just a couple more mouse clicks.
Install OpenVPN:
  • Download the latest OPENVPN release candidate from http://openvpn.net/index.php/open-source/downloads.html
  • Save it to your hard drive somewhere you can find it.
  • Make sure to run the installer as an administrator and in Windows Vista compatibility mode:  (this IS necessary!!)
    • Open up windows explorer to that location.
    • Right click on the file you saved, and select 'properties'
      • Select the 'compatibility' tab
      • In the Compatibility mode section, check the box 'Run this program in compatibility mode for:', choose Windows Vista (service pack 2)
      • In the Privilege Level section, check the box 'Run this program as an administrator'
      • OK/Apply the settings.
  • Now run the installer.  Agree to the license agreement. 
  • Uncheck all of the options EXCEPT for: 'TAP Virtual Ethernet Adapter', and 'add shortcuts to Start Menu' (in case you want to add another vpn connection)
  • Install to default location.
  • The installer should have created a TAP adapter in Control Panel\Network and Internet\Network Connections.  It's probably called Local Area Connection 2.  You NEED to rename it to something without a space in the name and something you'll remember.  I called mine 'CiscoVPN'.

Build and install VPNC:
  • Download the latest release of vpnc from: http://www.unix-ag.uni-kl.de/~massar/vpnc/ I got http://www.unix-ag.uni-kl.de/~massar/vpnc/vpnc-0.5.3.tar.gz
  • Save the file to a convenient temporary location, such as c:\cygwin\tmp
  • Right click on the Cygwin Bash Shell shortcut (should be on your desktop and/or start menu) and select 'Run as administrator' to open up a cygwin bash command prompt.  IT IS CRITICAL THAT YOU RUN THIS AS ADMINISTRATOR OR YOU WILL FAIL AT CERTAIN POINTS IN THIS PROCESS SILENTLY!!!
  • Now extract the contents of the file and change to the extracted folder:
$ cd /tmp
$ tar xvfz vpnc<tab>
$ cd vpnc<tab>
  • Now, compile it with make:
$ make
$ make PREFIX=/usr install
$ mkdir /var/run/vpnc
  • For some reason my own Cygwin install did not put /usr/sbin into the 'path' environment variable.  Not sure why that is.  You could add c:\cygwin\usr\sbin into your system path via advanced system properties in Windows, but here's how I fixed it:  I edited my .bashrc file (found in your 'home' directory: /home/<username>/.bashrc ), and added these two lines:
export PATH=${PATH}:/usr/local/bin
export PATH=${PATH}:/usr/sbin/ 
  • You'll want to log out of the bash shell and log in again to have that take effect.  REMEMBER TO 'RUN AS ADMINISTRATOR'
  • You can check to make sure you can 'find' vpnc with this command:
$ which vpnc
/usr/sbin/vpnc
Repair the VPN Routing configuration script:
  • This is the bit that's broken in Win 7, or perhaps all x64 OSes.  The script in question is: /etc/vpnc/vpnc-script-win.js.  I've posted my updated script here. Note that I added a bunch of debugging information to the script.  You can make it much quieter by removing or commenting out the two echo commands inside the run function definition on lines 17 and 19.
  • The script supplied with vpnc relies on the execution of the "route print" command to extract the default gateway on this computer.  For some reason the results of that command do not format the default gateway information in Win 7 x64 in the expected manner (perhaps other versions as well - I've seen references to this problem with Vista x64).
  • To fix the script, you need to replace the function getDefaultGateway with this one I hacked together:

function getDefaultGateway()
{
    // Ask only for the default route so the output stays short.
    var output = run("route print 0.0.0.0");
    // Assumes the fixed-width column layout of the Win7 x64 route table:
    // "0.0.0.0" + 10 spaces + "0.0.0.0" + 6 spaces (30 characters) directly
    // precedes the Gateway column.
    var pos = output.indexOf("0.0.0.0          0.0.0.0      ") + 30;
    var gw = output.substring(pos, pos + 15); // 15 = max length of a dotted-quad IP address
    gw = gw.substring(0, gw.indexOf(" "));    // trim at the first space
    echo("Default Gateway: [" + gw + "]");
    return gw;
}

  • I suck at regular expressions so I didn't try to use them for this.  If you're better with regular expressions than I am feel free to post a comment with an improved function. 
  • I also found it necessary to add a small pause to the script before adding the internal routes. Without the pause, the 'route add' commands were not adding correct routes in every case. 

echo("Pausing for 4 seconds to allow the adapter to register itself correctly and therefore correct routing inferences made. You may need to supply a longer delay.");
WScript.Sleep(4000);

  • I put that sleep command just before line: if (env("CISCO_SPLIT_INC")) { 
  • I also noticed that after disconnecting (ctrl-c), there were still stray routes in the route table.  I'm not sure that it matters because the route to the main vpn gateway is properly removed, but I went ahead and added some code to remove all of the routes added by the script when disconnecting:

// remove the host route to the VPN gateway
run("route delete " + env("VPNGATEWAY") + " mask 255.255.255.255");

// remove internal network routes (one per CISCO_SPLIT_INC_<n>_ADDR)
if (env("CISCO_SPLIT_INC")) {
    for (var i = 0; i < parseInt(env("CISCO_SPLIT_INC")); i++) {
        var network = env("CISCO_SPLIT_INC_" + i + "_ADDR");
        run("route delete " + network);
    }
}

  • Alternatively, I've posted an updated file here. Just copy that to your /etc/vpnc folder.
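The post asks for a getDefaultGateway() that does not rely on fixed character offsets. The following is an added example (not from the original post or from vpnc) that splits each route-table row into columns, ignores "On-link" rows, and picks the lowest-metric default route; it is written in ES3-style JavaScript so it can also run under WSH JScript. The route print output is constructed, and run() and echo() are assumed to be the helpers already defined in vpnc-script-win.js.

```javascript
// Constructed sample of "route print 0.0.0.0" output (not a real capture).
var SAMPLE_ROUTE_PRINT = [
  "===========================================================================",
  "IPv4 Route Table",
  "===========================================================================",
  "Active Routes:",
  "Network Destination        Netmask          Gateway       Interface  Metric",
  "          0.0.0.0          0.0.0.0      192.168.1.254     192.168.1.20     20",
  "          0.0.0.0          0.0.0.0          On-link        10.8.0.5     30",
  "===========================================================================",
  "Persistent Routes:",
  "  None"
].join("\r\n");

var DOTTED_QUAD = /^(\d{1,3}\.){3}\d{1,3}$/;

// Returns the gateway of the lowest-metric IPv4 default route, or null if
// the output contains no usable "0.0.0.0  0.0.0.0  <gateway>" row.
function parseDefaultGateway(routePrintOutput) {
  var best = null;
  var lines = routePrintOutput.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    // Collapse runs of whitespace so the exact column spacing no longer matters.
    var cols = lines[i].replace(/^\s+|\s+$/g, "").split(/\s+/);
    // A route row has five columns: destination, netmask, gateway, interface, metric.
    if (cols.length !== 5 || cols[0] !== "0.0.0.0" || cols[1] !== "0.0.0.0") continue;
    var gateway = cols[2];
    var metric = parseInt(cols[4], 10);
    // Skip "On-link" rows and anything that is not a dotted quad.
    if (!DOTTED_QUAD.test(gateway) || isNaN(metric)) continue;
    if (best === null || metric < best.metric) best = { gateway: gateway, metric: metric };
  }
  return best === null ? null : best.gateway;
}

// Drop-in for the post's function. run() and echo() are assumed to be the
// helpers defined in vpnc-script-win.js; they are not defined here.
function getDefaultGateway() {
  var gw = parseDefaultGateway(run("route print 0.0.0.0"));
  echo("Default Gateway: [" + (gw === null ? "not found" : gw) + "]");
  return gw;
}
```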
Create your VPNC Configuration file:
  • You need to convert your old Cisco .pcf file into a config file for vpnc in order to get the shared secret included in that file carried over correctly, and to make sure you have the ip address of the vpn gateway, etc.  So, first copy your existing cisco .pcf file into somewhere convenient.  /tmp is pretty convenient. Then run the pcf2vpnc utility:
$ cd /tmp
$ pcf2vpnc <old Cisco filename>.pcf /etc/vpnc/<profilename>.conf
  • <profilename> is whatever unique name you want it to be.  Note that we're saving the new configuration file to /etc/vpnc.  You could always copy the created file to that location later.
  • Now, edit the file it created with your favorite unix friendly editor.  Windows Notepad is no good.  Go download Notepad++ right now; I'll wait.  Got it? OK. Open the file /etc/vpnc/<profilename>.conf
  • You'll need to add a few items to the file:
Interface name <NameOfTheInterfaceYouPickedEarlier> # mine is: CiscoVPN
Interface mode tap
Pidfile /var/run/vpnc/<uniqueName>.pid # need a unique one per profile, so may as well use <profilename>.pid
Local Port 0  #auto selects a port
NAT Traversal Mode force-natt
No Detach
  • You really shouldn't do it, but you can also enter your password in this config file if you don't mind that password being there in plain text. The syntax for that is:
Xauth password <yourpassword>  # You've got a secure computer, right? Really? Are you sure?
  • If you have any trouble, you can add a debug flag to your config file:
Debug 1     # valid values: 1-3, 99.  99 = everything, including authorization information (passwords), so be careful

Putting it all together:
  • Actually there's not much to put together, you just need to use your shiny new vpnc command:
$ vpnc <profileNameWithoutExtension>
  • You could drop that command into an executable file to save a few keystrokes.  I'll leave figuring out how to launch the cygwin bash shell and executing that command from a windows batch file (and so an icon on your desktop) up to you.  


I hope this works for you, but I can't guarantee anything!  Feel free to post comments with your experiences.

Update 10 Aug 09:

I have had issues with routing within the network if the vpn concentrator provides me with a new IP address.  I'm not sure exactly why that happened or what to do in order to fix the routing - I'm not a network routing guru.  I did figure out how to work around this issue though.  In Control Panel\Network and Internet\Network Connections I went to the TCP/IPv4 settings and switched to DHCP ('Obtain an IP address automatically', 'Obtain DNS server address automatically').  These settings are overwritten when connecting to the vpn again, but for some reason making that change clears out something so that when connecting via vpnc the routing works again.  For today anyways. :)

Cheers, 

Allan

Update 11 Aug 09:
I forgot to mention that in my research, this VPN client: http://www.shrew.net/software was mentioned by a number of folks as a valid free alternative.  It actually looks pretty good, but I didn't try it, as I wanted to get the vpnc option figured out.  I always install cygwin on my windows boxes so I didn't mind going down this route.  If anyone has experience with the shrewsoft client on x64 Windows, please comment here.
three comments

I tried installing the shrew.net client today, and got bluescreens on boot on Win7 x64. To be fair to Shrew.net, they only claim vista x64 support. So we’ll wait and see when they come out with Win7 support. Thank goodness for Windows restore points!
Allan Nienhuis - 17 08 09 - 15:34

I updated the article with a small tweak to the script to fix cases when my routes weren’t being created properly. The route add command was running correctly, but the routing tables weren’t updated correctly. The route command does some type of assessment of how to apply the route add command based on your current network configuration, and I believe some type of adapter initialization wasn’t always being finished in time before the route add commands were being run. I noticed this when testing when I saw a brief flash of the ‘wait’ cursor while the script was running. The ‘fix’ was to simply put a few second delay in place, which is really just a hack. If anyone has an idea of what could actually be tested for before continuing with adding routes, or alternatives to the route add commands to force the correct routing, please reply here. FYI, I tried specifying both the metric and the adapter and did not see any difference in behavior.
Allan Nienhuis - 19 08 09 - 07:34

The Shrew.net client supports Win7 now, and seems to work flawlessly. It’s a much better option if you don’t already have a need for Cygwin. I understand that Cisco has published a 64bit client as well, but I’ve not tested that.
Allan Nienhuis - 22 03 10 - 10:14
